To generate the keys and the certificate file, you've several options. One is apache2-ssl-certificate. Another one is using OpenSSL. Just for the records, if you don't want a self-signed cert, the steps are exactly the same, it's just you have to send the generated CSR to a CA (plus pay their hilariously overpriced fee) and they will send you back the certfile to be used with SSLCertificateFile. Just a sidenote, you probably don't want to protect your private key with a passphrase, as that would mean every time you restart apache2 you'll be prompted for it.